Displaying 20 results from an estimated 900 matches similar to: "Expired passwords & PAM"
2000 Sep 13
2
auth-pam.c support for pam_chauthtok()
When we installed OpenSSH 2.1.1p4 on our Solaris systems, our users
noticed that it did not honor password expiration consistently with
other Solaris login services.
The patch below is against OpenSSH 2.2.0p1 and adds support for PAM
password changes on expiration via pam_chauthtok(). A brief summary of
changes:
auth-pam.c:
* change declaration of pamh to "static pam_handle_t *pamh",
1999 Dec 28
0
Patches to report rsaref build and to call pam_setcred
I've attached two patches. The first just changes the output of "ssh -V"
to print that it was built against rsaref if libRSAglue (which is built
as part of openssl only when it is built against rsaref) is present at
build-time. The second adds appropriate calls to pam_setcred() in sshd.
Without them, our systems can't access AFS because the PAM modules only
get tokens at a
2000 Aug 27
0
patch for TIS (skey/opie) *and* passwd auth via PAM
Hello,
appended is a patch that makes it possible to use PAM both for
password authentication and TIS (i.e. s/key or opie or any other
interactive challenge/response scheme). I have developed this starting
from the patch at http://www.debian.org/Bugs/db/61/61906.html on
Debian with openssh-2.1.1p4-3. After configuring ssh with
--with-pam-tis, there are two PAM services, "sshd" and
1999 Nov 22
0
OpenSSH 1.2pre14 fails on pam_open_session() ...
Anyone out there know more about PAM under Solaris 7/x86 then I do, that
can maybe tackle this, and/or suggestion a route to take to fix?
After doing some debugging, it looks like the problem is a seg fault at:
sshd.c:void pam_cleanup_proc(void *context)
===========================================
debug("PAM_retval(open_session) about to run");
pam_retval =
1999 Nov 22
1
[s-x86] OpenSSH 1.2pre14 fails on pam_open_session() ...
On Mon, 22 Nov 1999, Philip Brown wrote:
> [ Marc G. Fournier writes ]
> > debug("PAM_retval(open_session) about to run");
> > pam_retval = pam_open_session((pam_handle_t *)pamh, 0);
>
> >
> > ===========================================
> >
> > so, its looking like I'm authenticated properly, but when trying to set up
> > the
2002 Dec 10
5
[PATCH] Password expiry with Privsep and PAM
Hi All.
Attached is a patch that implements password expiry with PAM and
privsep. It works by passing a descriptor to the tty to the monitor,
which sets up a child with that tty as stdin/stdout/stderr, then runs
chauthtok(). No setuid helpers.
I used some parts of Michael Steffens' patch (bugid #423) to make it
work on HP-UX.
It's still rough but it works. Tested on Solaris 8 and
2002 Dec 21
6
[PATCH] PAM chauthtok + Privsep
Hello All.
Attached is an update to my previous patch to make do_pam_chauthtok and
privsep play nicely together.
First, a question: does anybody care about these or the password
expiration patches?
Anyway, the "PRIVSEP(do_pam_hauthtok())" has been moved to just after
the pty has been allocated but before it's made the controlling tty.
This allows the child running chauthtok to
2001 Feb 10
1
[PATCH] Tell PAM about remote host earlier
I was browsing the OpenSSH sources (which are very readable, thankyou
very much) and noticed that PAM was only being told what host the user
is logging in from for account processing - not for password
processing. As I can see no reason not to put this in start_pam this is
exactly what I have done - and attached a patch to this effect.
This allows PAM to fill in rhost= in its audit messages
2003 Feb 20
0
"if 0" in auth-pam.c
Hi,
I was doing some research on why new openssh-versions (3.4 and 3.5p1)
doesnt ask you to change expired passwords (it just disconnects you) and
found something curious.
Line 259 of auth-pam.c has "#if 0" and then the code to set some vars
(eg. password_change_required to true) followed by an "endif". Why is
that? I'm not a C expert, but I think "if 0" is
1998 Oct 29
0
Digest.
Hi,
There have been a bunch of useful submissions for the compare /contrast
thread.
To reduce the load on your mailbox, they are gathered here in one go...
Roger.
Date: Wed, 28 Oct 1998 15:11:37 +0000
From: "David L. Sifry" <dsifry@linuxcare.com>
To: "Matthew S. Crocker" <matthew@crocker.com>
CC: Rob Bringman <rob@trion.com>,
2000 Jul 03
2
2.1.1p2 HP-UX 11 PAM General Commerical Security error
Trying 2.1.1p2 on HP-UX 11 (trusted system) I get:
Jul 3 14:24:53 robinson sshd[1236]: debug: Encryption type: 3des
Jul 3 14:24:53 robinson sshd[1236]: debug: Received session key; encryption turned on.
Jul 3 14:24:53 robinson sshd[1236]: debug: Installing crc compensation attack detector.
Jul 3 14:24:53 robinson sshd[1236]: debug: Starting up PAM with username "stevesk"
Jul 3
2004 Jul 09
1
passing remote ip to pam
to improve forensic log info i want to set the PAM_RHOST value to the
remote ip (which pam logs as rhost=foo in failure messages). i didn't
look to see if anything has been done in this way on CVS because i'm still
on 0.99.10.6.
below is a bit of a hack. in some sense the remote_ip might make more
sense in the AUTH_LOGIN_REQUEST_NEW packet rather than the continue
packet... but that
2002 Nov 20
0
[PATCH #9] Password expiration via /bin/passwd.
This is an attempt to simplify the AIX expiry-via-passwd stuff and make
it more generic. (There's actually a net reduction in #ifdefs).
Patch against CVS:
1) configure finds passwd.
2) sshd uses passwd during session if required.
3) sshd uses passwd for PAM change if privsep disabled.
4) sshd uses Buffers for expire and post-login messages (no longer AIX
specific).
5) password_change_required
2002 Oct 21
0
[Bug 419] New: HP-UX PAM problems with 3.5p1
http://bugzilla.mindrot.org/show_bug.cgi?id=419
Summary: HP-UX PAM problems with 3.5p1
Product: Portable OpenSSH
Version: -current
Platform: HPPA
OS/Version: HP-UX
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy:
2014 Apr 24
0
Help implementing username_format in auth PAM driver
While configuring my server with dovecot I noticed that the PAM
authentication driver does not support the username_format option as
does the password file driver. This didn't seem too hard to implement
so I through together a patch.
As you can see in the attached patch I only modify the username sent
to PAM. Despit doing this I run into the domain lost
2003 Dec 07
0
[PATCH] Do PAM chauthtok via keyboard-interactive.
Hi All.
Attached is another patch that attempts to do pam_chauthtok() via SSH2
keyboard-interactive authentication. It now passes the results from the
authentication thread back to the monitor (based on a suggestion from
djm).
Because of this, it doesn't call do_pam_account twice and consequently
now works on AIX 5.2, which the previous version didn't. I haven't tested
it on any
2002 Dec 05
1
patch to add a PAMServiceName config option
I append a patch against openssh-3.5p1.tar.gz which adds a config option
PAMServiceName. The option allows one to specify the PAM service at
runtime in the config file rather than using __progname or having it
hardwired to SSHD_PAM_SERVICE at compile time. I expect this to be useful
if one wants to run multiple instances of sshd using different PAM
configurations.
With this patch
2001 Nov 07
2
Flaw in empty password authentication in sshd
The auth-pam.c of sshd server contains a small flaw that allows empty
password logins even if "PermitEmptyPasswords" option in the sshd config
file is set to "no". The scenario is as follows:
Using ssh the user tries to logon to the machine using an account that has
empty password. If the user presses enter on the password prompt (NULL
password) access is
2002 Feb 27
0
[Bug 127] New: PAM with ssh authentication and pam_krb5 doesn't work properly
http://bugzilla.mindrot.org/show_bug.cgi?id=127
Summary: PAM with ssh authentication and pam_krb5 doesn't work
properly
Product: Portable OpenSSH
Version: 3.0.2p1
Platform: UltraSparc
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo:
2002 Feb 27
0
openssh & solaris
while trying to sort out the PAM incompatabilities between openssh 3.0.2p1
and solaris 8 and sun's pam_krb5 i got some things to work. i'm really not
sure where the appropriate place to submit patches is so for now i'm sending
them here.
this patch will allow PAM interoperability when using sun's pam_krb5 without
using the system login routine (this way X forwarding will